Active Directory Protection
Guard your workforce where identity actually lives.
Active Directory Protection blocks weak and breached passwords the instant they're set, audits every account continuously, and drives every risk to closure, inside standard Windows password workflows, with no plaintext leaving the domain controller.
Real-time enforcement
Policy enforced in real time, at the moment of change.
A password change is blocked the instant it fails any check:
Found in a leak dataset
Matched against billions of breached records: cloud, on-prem, or air-gapped.
Matches a blacklist rule
Forbidden words, banned terms, or predictable patterns.
Reuse detected
A previous or previously-blocked password can't be set again.
Violates NIST-aligned policy
Fails the password policy that applies to that user or group.
Contains personal identity data
Username, name, or email embedded in the password.
The moment of change
What happens in the seconds a password is set.
The whole exchange happens inside standard Windows password workflows: the filter intercepts the change on the domain controller, every check runs, and the user gets an instant verdict.
Blocked means blocked: the risky password is never set. And a confirmed risk stays open until the forced reset is verified clean: genuinely different, not itself compromised, and within policy.
Granular policy
Granular, not one-size-fits-all.
Static complexity rules give way to policies you scope precisely to who and where they apply. Set different rules at three levels so the right policy reaches the right people without blanket friction.
Organizational unit
Apply a baseline policy across an entire OU in one move.
Group
Tighten rules for privileged or sensitive groups without touching everyone else.
User
Set exceptions or stricter requirements down to the individual account.
Forbidden words
Forbidden words and blacklists, blocked in real time.
Company-specific terms
Company and brand names, product names, seasons, months, and local or industry words.
Personal identity data
Username, full/first/last name, and email address, denied anywhere inside the password.
Predictable structure
Dictionary words, repeated characters, consecutive numbers, and keyboard sequences.
Leak & similarity matching
Denies breached passwords plus normalized and near-match variants within a similarity distance.
Continuous auditing
Every password watched, continuously, not just at reset.
Always-on analysis
Existing and newly changed passwords evaluated continuously; exposure caught whenever it occurs.
Breached-password screening
Matched against cloud, on-premise, and air-gapped leak databases, with scheduled or real-time updates.
Exposure tracked over time
Accounts re-checked as new leaks surface; every finding followed from detected to remediated.
Structural weaknesses
Surfaces blank passwords, one password shared across many accounts, and old or weakly-stored formats.
Remediation to closure
The actions PassVision takes: detection to closure.
Force password reset
Automatically require the affected user to reset a compromised or non-compliant password.
Block the change
Reject a failing password outright at the point of change; the risky one is never set.
Notify the user
Alert the affected user directly, with the reason and the required action.
Alert an admin
Raise a context-rich alert to security, forwarded to your SIEM with full detail.
Reset verification.
Every forced reset is verified: PassVision confirms the new password is genuinely different, is not itself compromised, and meets policy before access continues. Proof of enforcement, not just a request.
Secure by design
Secure by design.
Every check runs on irreversible fingerprints: no plaintext password is stored or processed by the AD screening path. Enforcement lives inside your directory; no plaintext leaves the environment.
Common questions
Active Directory Protection, answered.
Is PassVision aligned with NIST 800-63B?
Yes. PassVision's policy engine is aligned with NIST 800-63B (blocking known-compromised passwords, removing arbitrary composition rules, and enforcing context-aware policy) and produces audit-ready evidence.
Can PassVision run on-premises or air-gapped?
Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.
The weak password never exists. The exposed one never hides.
Block it at the moment of change. Track every account continuously. Drive every risk to verified closure.